DETAILED ACTION



Claims 1-30 were pending for examination. 



Claim Rejections - 35 USC § 103 



The following is a quotation of 35 U.S.C. 103(a) which forms the basis for all obviousness 
rejections set forth in this Office action: 

(a) A patent may not be obtained though the invention is not identically disclosed or described as set forth in section 
102 of this title, if the differences between the subject matter sought to be patented and the prior art are such that the 
subject matter as a whole would have been obvious at the time the invention was made to a person having ordinary 
skill in the art to which said subject matter pertains. Patentability shall not be negatived by the manner in which the 
invention was made. 

Claims 1-9, 11-30 are rejected under 35 U.S.C. 103(a) as being unpatentable over Win et al.,
US Pat. No. 6,182,142, issued Jan 2001, and further in view of Brown et al., US Pat. No. 5,941,947,
issued Aug. 1999 (cited in IDS Paper No. 5).

As per claims 1-3, 5-9, 11-13, 15-21, 23-24, 26-27, Win is directed to a method and apparatus
for controlling access to protected information resources, see abstract.

Win's system enables users (i.e. a first resource requester) to log in to the system once, and
thereafter access one or more resources during an authenticated session. Win teaches that users
may log in either with a digital certificate or by opening a log-in page URL with a web browser and 
entering a name and password (i.e. credentials), wherein if the login attempt is successful, the system 
presents the user with a personalized menu displaying only authorized resources to which the user 
has access. The user can then select and access a resource, see col. 6, lines 6-64. 

Win teaches that a browser issues a request, such as "open the resource designated by this
URL," and provides a URL (i.e. a resource identifier) as a parameter, and a Runtime Module
determines whether the requested URL is or is not a protected resource. Win teaches that when the URL
is a protected resource, the Runtime Module calls the authentication verification service to check
whether an authenticated user is making the request, and that a user is considered authenticated if the
request contains a "user cookie" that can be decrypted. Win teaches that when the URL is a protected
resource and the user is authenticated, the Runtime Module calls the authorization verification service to
check that the user has the right to access the protected resource.

Win further teaches a registry server managing access to a registry repository (i.e. a resource 
data structure) which comprises an authentication server module, a registry repository, and an access 
control library. The registry repository of Win is the primary data store containing data on users, 
resources and roles and configuration information required for the system, see col. 12, lines 22-67. 

Win fails to teach "mapping the resource request to a resource identifier" and "searching a
resource data structure for a resource node based on the resource identifier", required by claims 1-2,
12, 20 and 26.

However, Brown teaches access rights of users of a computer network with respect to data 
entities which are specified by a relational data base stored on one or more security servers, see 
abstract. 

Brown discloses a general organization of content objects within a directory service structure
(i.e. a resource data structure), wherein each content object is represented as a corresponding node of
one of the directory structures, see col. 12, lines 32-50, see also Fig. 2.

Brown discloses that the user's access rights with respect to the node of the directory service
are determined by reading a security token associated with the node (stored as a node property),
wherein the directory service generates a GetAccountRights call, specifying as parameters of the call
the node's security token and the user's account number (i.e. mapping the resource request to a
resource identifier), see col. 15, lines 38-65.

That is, the directory service of Brown uses the GetAccountRights API to determine the
access rights of the user with respect to the node, and to thereby determine whether the user is
authorized to access the node, see col. 15, lines 5-26, and that this access rights information is stored
within an access rights database on each security server and that the access rights database specifies, 
for each user of the network both (1) the content nodes that can be seen by the user via the directory 
service, and (2) the access operations that can be performed by the user with respect to each content 
node, see col. 16, lines 28-45. 

Brown further teaches that the access rights values of an access control matrix (i.e. a
compressed version of access rights database) are in the form of privilege level masks with each
defined bit corresponding to a respective user privilege level, see col. 17, lines 5-67.

Brown's privilege levels are defined as viewer (none level), observer, user, host, sysop, sysop
manager, supersysop, wherein sysop manager is given various ownership-type privileges with
respect to the node, as recited in claims 5, 15, and that the access rights values (i.e. privilege levels)
may directly specify the access operations that can be performed by the users, with, for example, bit
1 specifying whether the user has read/write access, as recited in claims 6-8, 16-18 and 23.

Brown further teaches that the GetAccountRights API returns either a 16-bit access rights
value which indicates the user's access rights with respect to the nodes, or else returns a code
indicating that the user is not authorized to access the node.

Brown's directory structures are in the form of directed acyclic graphs, see col. 13, lines 51-65,
as recited in claims 3, 13, 21 and 27.

Brown's data structure includes the delegation of a resource authorization level from a child
node to a parent node, see col. 14, line 54 through col. 15, line 26, as recited in claims 9, 19, 24 and
29.

It would have been obvious to one of ordinary skill in the art at the time the invention was
made to modify the registry server of Win with Brown's directory service to flexibly manage
user-specific access rights to different content entities when the number of subscribers may be in the
millions and the number of content entities may be in the tens of thousands, where these large
quantities of access rights consume large amounts of memory and often take an unacceptably long
period of time to search, see col. 1, line 38 through line 2, line 16 (Brown).

As per claims 4, 14, 22 and 28, Win discloses that users may log in either with a digital
certificate or by opening a login page URL with a web browser and entering a name and password,
see col. 6, lines 6-16.

As per claims 25 and 30, Win teaches defining Administrative Roles to delegate 
Administration function, where centralized administration of a system is undesirable. That is, 
Administration Application of Win can delegate administration of users, roles, servers or the system 
to other administrations. This is done through a special type of role, called Admin role. When the
Admin Role is assigned to a user, that user has the right to perform administrative functions, see col. 
16, lines 35-67. 

Claim 10 is rejected under 35 U.S.C. 103(a) as being unpatentable over Win et al. and Brown
as applied to claim 9 and further in view of Carter et al., US Pat. No. 6,601,171, issued Jul. 2003.

Carter discloses that key-oriented certificates (such as SDSI) used to delegate rights
among entities of distributed computing systems are well known in the art, see col. 1, lines 34-63.

It would have been obvious to one of ordinary skill in the art at the time the invention was made
to incorporate such delegation services into Brown's computer network and Win's distributed access
management to meet the urgent need in achieving seamless distribution of critical resources, and to
make the power of computing resources available for more widespread use, see col. 1, lines 23-34,
see also col. 13, lines 14-42.



Conclusion 